Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

The prevailing wisdom is that longer, more complex passwords and passphrases are more difficult to crack and are more secure for users. While complex passwords and passphrases are still a better approach than simple words and short passwords, new technology out this week will now make it faster to crack longer, complex passwords.

The oclHashcat-plus v.0.15 release now provides security researchers with the ability to crack passwords that are longer than 15 characters. According to the release notes, the new maximum length for password cracking is 55 characters.

Hashcat is a project that builds "password recovery" tools for researchers. The core Hashcat application is CPU-based as opposed to ocl-Hashcat-plus, which leverages the enhanced number-crunching power of a GPU. The GPU-infused power is the catch with oclHashcat-plus and is significantly faster than CPU-based approaches. Why the 15 character expansion is important is because it will potentially enable the cracking of phrases as well as long passwords.

Hashcat developers note that the new 0.15 release involved the modification of 618,473 lines of source code, which took more than six months of work. In addition to the longer password length, the new update now also supports a number of new algorithms including: TrueCrypt 5.0+1Password, Lastpass, OpenLDAP {SSHA512}, MacOSX v10.8 Microsoft SQL Server 2012 and Samsung Android Password/PIN.

At the recent DEF CON security conference, there was a contest that I wrote about that was specifically all about seeing how researchers go about cracking passwords. As it turns out, the hashcat developers specifically credit the "Crack Me If You Can" contest organized by security vendor KoreLogic as well as the Positive Hack Days (PHD) Hashrunner contest.

"These contests give us a good view on what a typical pentester/IT-forensic needs and shows a direction to go," the oclHashcat-plus v.0.15 release states.

From my point of view, the emergence of oclHashcat-plus v.0.15 just means it is now that much harder to create a truly secure password. It should also serve as a reminder that the password should never be the only line of defense for technology infrastructure, but rather should be part of a layered approach, including multiple forms of authentication to help mitigate risk. Event auditing and logging is also critical in the modern IT infrastructure. That way, you know when you've been breached so you can rapidly change your (long or short) password.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.